Monday, August 19, 2019

Core switch to ASA gateway

Hi Everyone!

I've got an ASA5508 managed through FMC and a c3560 core switch with most of the SVIs on the core handling the inter-VLAN routing. The core switch default gateway is pointed at the internal ASA interface.

I'm considering doing a redesign of the connection between the core and the ASA. I'd like to do a port-channel and have subinterfaces on the ASA act as the default gateways, to better restrict traffic between VLANs, since right now it is wide open. Our other sites are connected via DMVPN, using HSRP internally and EIGRP to redistribute routes between sites.

Currently, I've got the following on the core...

interface Vlan8
 ip address 192.168.8.41 255.255.255.0
 standby 8 ip 192.168.8.1
 standby 8 priority 200
 standby 8 preempt
!
interface Vlan9
 ip address 192.168.9.41 255.255.255.0
 standby 9 ip 192.168.9.1
 standby 9 priority 200
 standby 9 preempt
!
interface Vlan50
 ip address 192.168.50.41 255.255.255.0
 standby 50 ip 192.168.50.1
 standby 50 priority 200
 standby 50 preempt
!
ip route 0.0.0.0 0.0.0.0 10.101.8.254
ip default-gateway 10.101.9.1

On the ASA...

Gi1/1    Inside        192.168.8.254
Po2.50   ServerMgmt    192.168.50.5

ASA policies seem fine, as I have them set to any/any. If I set the VLAN 50 host gateway to .1 I can access it just fine, but once I set it to .5 (the ASA) it's not accessible. I can see the routes being redistributed to our other sites, but if I try to reach a host on the VLAN 50 subnet, it times out once it reaches this core.

Looking at the ASA logs, it looks like SOME of the traffic makes it through the ASA, but only asymmetrically. My initial thought was PBR, but I wasn't sure if there was a better way to handle this. Thanks in advance!
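The design described in the post, an ASA port-channel with one routed subinterface per VLAN acting as that VLAN's gateway, looks roughly like the fragment below. This is an added illustration for VLAN 50 only, not the poster's configuration: the core uplink ports (Gi0/47-48), the security level and the exact trunk and route lines are assumptions, and the addresses are the ones quoted above.

```cisco
! --- Added illustration, not the poster's running configuration. ---
! Assumptions: the ASA-to-core bundle is Port-channel2 carrying VLAN 50 as an
! 802.1Q tag, and the ASA subinterface is the ONLY gateway for 192.168.50.0/24.

! ASA side: a routed subinterface per VLAN. Each gets its own nameif, so FMC
! access control can be written per zone instead of the current any/any.
interface Port-channel2
 description Trunk to core switch
 no shutdown
!
interface Port-channel2.50
 vlan 50
 nameif ServerMgmt
 security-level 50            ! assumed value
 ip address 192.168.50.5 255.255.255.0
!
! Core switch side (IOS): bundle the uplinks into Po2 as an 802.1Q trunk.
! Add VLANs 8 and 9 to the allowed list as they are migrated the same way.
interface range GigabitEthernet0/47 - 48   ! assumed uplink ports
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 50
 channel-group 2 mode active
!
! A subnet needs exactly one gateway. If the core keeps a live SVI (and its
! HSRP VIP .1) on VLAN 50 while hosts point at the ASA's .5, traffic arriving
! from remote sites over EIGRP is routed straight onto the VLAN by the core,
! but the hosts reply through the ASA, so the ASA sees only one direction of
! each flow and drops it as asymmetric. Shut the SVI so the core is Layer 2
! only for this VLAN, and route the subnet to the ASA's inside address so that
! remote sites learn it via the existing redistribution.
interface Vlan50
 shutdown
!
ip route 192.168.50.0 255.255.255.0 192.168.8.254
```

The ASA also needs routes for the remote-site prefixes (pointing at the core's inside VIP, 192.168.8.1 in the quoted config) so that both directions of a VLAN 50 flow to a remote site traverse the ASA; otherwise the same one-sided connection entries show up in the ASA logs.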


